Commit all scripts, diagrams, and documents to the repository for versioning and history.

Note that WSO2 can facilitate the following upon your request:

Arrange a third-party consultant to carry out pen tests.

Reports and dashboards on the Production environment.

Managing remote access

WSO2 recommends that you run all Managed Cloud deployments in an Amazon Virtual Private Cloud (Amazon VPC). A VPC enables you to launch Amazon Web Services (AWS) resources into a virtual network that you define. It improves the security of your data by providing network-level control and isolation for those resources. You can keep your data and configurations in a private space and expose them through the DMZ. This virtual network closely resembles a traditional network, but with improved security and scalability.

To set up your Cloud environments, WSO2 requires access to your Amazon EC2 instances. We access these instances over SSH only, with a Bastion host working as the SSH gateway. The Bastion host can reside either in the VPC or in your own datacenter. The diagrams below depict both scenarios.

Bastion host in the VPC

The Bastion host is in the public subnet and allows SSH traffic only to the WSO2 network via a non-standard port. All other hosts are configured to accept SSH requests from the Bastion host only.

<image>

Bastion host in your datacenter

The Bastion host is in your datacenter, and the other hosts are configured to accept SSH requests from the Bastion host only. When WSO2 DevOps want to connect to the Bastion host via SSH, they do it remotely via a client console.

<image>
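The SSH rules described for both scenarios can be checked mechanically. The following Python check is an added example, not WSO2's own tooling: it audits security group rules, given in the shape of EC2 DescribeSecurityGroups output, for SSH paths that bypass the Bastion host. The group IDs, the 203.0.113.0/24 range standing in for the WSO2 network, port 2222 as the non-standard port, port 22 on the other hosts, and the reading that the Bastion host accepts SSH only from the WSO2 network are all assumptions.

```python
import ipaddress

def covers(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def outside(cidr, trusted):
    """True if `cidr` is not contained in the trusted network."""
    net = ipaddress.ip_network(cidr)
    return net.version != trusted.version or not net.subnet_of(trusted)

def audit_ssh_ingress(groups, bastion_sg, trusted_cidr, bastion_port, host_port=22):
    """Return (group_id, message) findings that violate the bastion-only SSH policy."""
    trusted = ipaddress.ip_network(trusted_cidr)
    findings = []
    for g in groups:
        is_bastion = g["GroupId"] == bastion_sg
        port = bastion_port if is_bastion else host_port
        for perm in g["IpPermissions"]:
            if is_bastion and bastion_port != 22 and covers(perm, 22):
                findings.append((g["GroupId"], "bastion exposes standard port 22"))
            if not covers(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            peers = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if is_bastion:  # bastion: only the trusted network may connect
                bad = [c for c in cidrs if outside(c, trusted)] + peers
            else:           # other hosts: only the bastion's group may connect
                bad = cidrs + [p for p in peers if p != bastion_sg]
            findings += [(g["GroupId"], f"SSH port {port} reachable from {s}") for s in bad]
    return findings

# Constructed sample in the shape of EC2 DescribeSecurityGroups output.
# Group IDs, the 203.0.113.0/24 "WSO2 network" and port 2222 are assumptions.
SAMPLE = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
if __name__ == "__main__":
    print(audit_ssh_ingress(SAMPLE, "sg-bastion", "203.0.113.0/24", 2222))
```

In the constructed sample, only `sg-db` is reported, because it accepts SSH from any address instead of from the Bastion host's group.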

In addition to the AWS instances, WSO2 requires access to the following resources:

All Linux hosts are configured with SNMP servers to The statistics are then presented in a dashboard that is exposed to the WSO2 network over HTTP/S. The dashboard is developed using Cacti, the network graphing solution.

The Nagios NRPE extension is also configured on all Linux hosts to monitor resource utilization and set thresholds. If any resource is utilized beyond a certain threshold, or if an application isn't responding properly, alerts and notifications are triggered as depicted in the diagram below. For all stats collected via NRPE agents, Icinga is used as the presentation and dashboard tool, and the dashboard is exposed only to the WSO2 network over HTTP/S.

Because alerts are extended through third-party services, all monitoring hosts need internet connectivity to reach them. This doesn't mean that monitoring hosts should be placed in the public subnet.